admin/admins.php

@@ -3,7 +3,7 @@ require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
 // Check admin login
-if (!isset($_SESSION["admin_logged_in"]) || !$_SESSION["admin_logged_in"]) {
+if (!isset($_SESSION['admin_logged_in']) || !$_SESSION['admin_logged_in']) {
     header("Location: login.php");
     exit();
 }
@@ -24,20 +24,20 @@ function isValidAdminEmailInput($email)
     return isValidAdminEmail($email);
 }
 
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
+if ($_SERVER['REQUEST_METHOD'] === "POST") {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
-        if (isset($_POST["add_admin"])) {
-            $username = normalizeAdminUsername($_POST["username"] ?? "");
+        if (isset($_POST['add_admin'])) {
+            $username = normalizeAdminUsername($_POST['username'] ?? "");
             $description = normalizeAdminDescription(
-                $_POST["description"] ?? "",
+                $_POST['description'] ?? "",
             );
-            $email = normalizeAdminEmail($_POST["email"] ?? "");
-            $password = $_POST["password"] ?? "";
-            $passwordConfirm = $_POST["password_confirm"] ?? "";
+            $email = normalizeAdminEmail($_POST['email'] ?? "");
+            $password = $_POST['password'] ?? "";
+            $passwordConfirm = $_POST['password_confirm'] ?? "";
 
             if (!isValidAdminUsername($username)) {
                 $message =
@@ -67,24 +67,28 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     "description" => $description,
                     "email" => $email,
                 ];
-                saveAdminAccounts($adminAccounts);
-                logAccess("Admin added admin account", [
-                    "username" => $username,
-                    "description" => $description,
-                ]);
-                $message = "Admin wurde erfolgreich angelegt.";
-                $messageType = "success";
+                if (saveAdminAccounts($adminAccounts)) {
+                    logAccess("Admin added admin account", [
+                        "username" => $username,
+                        "description" => $description,
+                    ]);
+                    $message = "Admin wurde erfolgreich angelegt.";
+                    $messageType = "success";
+                } else {
+                    $message = "Admin konnte nicht gespeichert werden.";
+                    $messageType = "error";
+                }
             }
         }
 
-        if (isset($_POST["update_description"])) {
+        if (isset($_POST['update_description'])) {
             $targetUsername = normalizeAdminUsername(
-                $_POST["target_username"] ?? "",
+                $_POST['target_username'] ?? "",
             );
             $description = normalizeAdminDescription(
-                $_POST["description"] ?? "",
+                $_POST['description'] ?? "",
             );
-            $email = normalizeAdminEmail($_POST["email"] ?? "");
+            $email = normalizeAdminEmail($_POST['email'] ?? "");
 
             if (!isset($adminAccounts[$targetUsername])) {
                 $message = "Admin nicht gefunden.";
@@ -98,21 +102,25 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
             } else {
                 $adminAccounts[$targetUsername]["description"] = $description;
                 $adminAccounts[$targetUsername]["email"] = $email;
-                saveAdminAccounts($adminAccounts);
-                logAccess("Admin updated admin description", [
-                    "username" => $targetUsername,
-                ]);
-                $message = "Beschreibung und E-Mail wurden aktualisiert.";
-                $messageType = "success";
+                if (saveAdminAccounts($adminAccounts)) {
+                    logAccess("Admin updated admin description", [
+                        "username" => $targetUsername,
+                    ]);
+                    $message = "Beschreibung und E-Mail wurden aktualisiert.";
+                    $messageType = "success";
+                } else {
+                    $message = "Änderungen konnten nicht gespeichert werden.";
+                    $messageType = "error";
+                }
             }
         }
 
-        if (isset($_POST["change_password"])) {
+        if (isset($_POST['change_password'])) {
             $targetUsername = normalizeAdminUsername(
-                $_POST["target_username"] ?? "",
+                $_POST['target_username'] ?? "",
             );
-            $newPassword = $_POST["new_password"] ?? "";
-            $newPasswordConfirm = $_POST["new_password_confirm"] ?? "";
+            $newPassword = $_POST['new_password'] ?? "";
+            $newPasswordConfirm = $_POST['new_password_confirm'] ?? "";
 
             if (!isset($adminAccounts[$targetUsername])) {
                 $message = "Admin nicht gefunden.";
@@ -127,18 +135,22 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                 $adminAccounts[$targetUsername][
                     "password_hash"
                 ] = password_hash($newPassword, PASSWORD_BCRYPT);
-                saveAdminAccounts($adminAccounts);
-                logAccess("Admin changed admin password", [
-                    "username" => $targetUsername,
-                ]);
-                $message = "Passwort wurde aktualisiert.";
-                $messageType = "success";
+                if (saveAdminAccounts($adminAccounts)) {
+                    logAccess("Admin changed admin password", [
+                        "username" => $targetUsername,
+                    ]);
+                    $message = "Passwort wurde aktualisiert.";
+                    $messageType = "success";
+                } else {
+                    $message = "Passwort konnte nicht gespeichert werden.";
+                    $messageType = "error";
+                }
             }
         }
 
-        if (isset($_POST["delete_admin"])) {
+        if (isset($_POST['delete_admin'])) {
             $targetUsername = normalizeAdminUsername(
-                $_POST["target_username"] ?? "",
+                $_POST['target_username'] ?? "",
             );
 
             if (!isset($adminAccounts[$targetUsername])) {
@@ -146,24 +158,29 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                 $messageType = "error";
             } else {
                 unset($adminAccounts[$targetUsername]);
-                saveAdminAccounts($adminAccounts);
-                logAccess("Admin deleted admin account", [
-                    "username" => $targetUsername,
-                ]);
+                if (!saveAdminAccounts($adminAccounts)) {
+                    $message = "Admin konnte nicht gelöscht werden.";
+                    $messageType = "error";
+                    $adminAccounts = getAdminAccounts();
+                } else {
+                    logAccess("Admin deleted admin account", [
+                        "username" => $targetUsername,
+                    ]);
 
-                if (
-                    isset($_SESSION["admin_username"]) &&
-                    $_SESSION["admin_username"] === $targetUsername
-                ) {
-                    $_SESSION["admin_logged_in"] = false;
-                    unset($_SESSION["admin_username"]);
-                    session_destroy();
-                    header("Location: login.php");
-                    exit();
-                }
+                    if (
+                        isset($_SESSION['admin_username']) &&
+                        $_SESSION['admin_username'] === $targetUsername
+                    ) {
+                        $_SESSION['admin_logged_in'] = false;
+                        unset($_SESSION['admin_username']);
+                        session_destroy();
+                        header("Location: login.php");
+                        exit();
+                    }
 
-                $message = "Admin wurde gelöscht.";
-                $messageType = "success";
+                    $message = "Admin wurde gelöscht.";
+                    $messageType = "success";
+                }
             }
         }
 
@@ -171,13 +188,13 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
     }
 }
 
-$currentAdmin = isset($_SESSION["admin_username"])
-    ? normalizeAdminUsername($_SESSION["admin_username"])
+$currentAdmin = isset($_SESSION['admin_username'])
+    ? normalizeAdminUsername($_SESSION['admin_username'])
     : "";
-$changeUsername = normalizeAdminUsername($_GET["change"] ?? "");
+$changeUsername = normalizeAdminUsername($_GET['change'] ?? "");
 $selectedChangeUser = null;
 $editDescriptionUsername = normalizeAdminUsername(
-    $_GET["edit_description"] ?? "",
+    $_GET['edit_description'] ?? "",
 );
 $selectedDescriptionUser = null;
 

admin/categories.php

@@ -3,7 +3,7 @@ require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
 // Check admin login
-if (!isset($_SESSION["admin_logged_in"]) || !$_SESSION["admin_logged_in"]) {
+if (!isset($_SESSION['admin_logged_in']) || !$_SESSION['admin_logged_in']) {
     header("Location: login.php");
     exit();
 }
@@ -14,14 +14,14 @@ $messageType = "";
 $categories = getCategories();
 $products = getProducts();
 
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
+if ($_SERVER['REQUEST_METHOD'] === "POST") {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
-        if (isset($_POST["add_category"])) {
-            $label = normalizeCategoryLabel($_POST["label"] ?? "");
+        if (isset($_POST['add_category'])) {
+            $label = normalizeCategoryLabel($_POST['label'] ?? "");
 
             if (!isValidCategoryLabel($label)) {
                 $message =
@@ -33,19 +33,23 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     "id" => $categoryId,
                     "label" => $label,
                 ];
-                saveCategories($categories);
-                logAccess("Admin added category", [
-                    "category_id" => $categoryId,
-                    "label" => $label,
-                ]);
-                $message = "Kategorie wurde erfolgreich angelegt.";
-                $messageType = "success";
+                if (saveCategories($categories)) {
+                    logAccess("Admin added category", [
+                        "category_id" => $categoryId,
+                        "label" => $label,
+                    ]);
+                    $message = "Kategorie wurde erfolgreich angelegt.";
+                    $messageType = "success";
+                } else {
+                    $message = "Kategorie konnte nicht gespeichert werden.";
+                    $messageType = "error";
+                }
             }
         }
 
-        if (isset($_POST["update_category"])) {
-            $categoryId = normalizeCategoryId($_POST["category_id"] ?? "");
-            $label = normalizeCategoryLabel($_POST["label"] ?? "");
+        if (isset($_POST['update_category'])) {
+            $categoryId = normalizeCategoryId($_POST['category_id'] ?? "");
+            $label = normalizeCategoryLabel($_POST['label'] ?? "");
             $found = false;
 
             if (!isValidCategoryLabel($label)) {
@@ -66,19 +70,24 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     $message = "Kategorie nicht gefunden.";
                     $messageType = "error";
                 } else {
-                    saveCategories($categories);
-                    logAccess("Admin updated category", [
-                        "category_id" => $categoryId,
-                        "label" => $label,
-                    ]);
-                    $message = "Kategorie wurde erfolgreich aktualisiert.";
-                    $messageType = "success";
+                    if (saveCategories($categories)) {
+                        logAccess("Admin updated category", [
+                            "category_id" => $categoryId,
+                            "label" => $label,
+                        ]);
+                        $message = "Kategorie wurde erfolgreich aktualisiert.";
+                        $messageType = "success";
+                    } else {
+                        $message =
+                            "Kategorie konnte nicht gespeichert werden.";
+                        $messageType = "error";
+                    }
                 }
             }
         }
 
-        if (isset($_POST["delete_category"])) {
-            $categoryId = normalizeCategoryId($_POST["category_id"] ?? "");
+        if (isset($_POST['delete_category'])) {
+            $categoryId = normalizeCategoryId($_POST['category_id'] ?? "");
             $label = "";
             $found = false;
 
@@ -106,13 +115,17 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     $message = "Kategorie nicht gefunden.";
                     $messageType = "error";
                 } else {
-                    saveCategories($categories);
-                    logAccess("Admin deleted category", [
-                        "category_id" => $categoryId,
-                        "label" => $label,
-                    ]);
-                    $message = "Kategorie wurde gelöscht.";
-                    $messageType = "success";
+                    if (saveCategories($categories)) {
+                        logAccess("Admin deleted category", [
+                            "category_id" => $categoryId,
+                            "label" => $label,
+                        ]);
+                        $message = "Kategorie wurde gelöscht.";
+                        $messageType = "success";
+                    } else {
+                        $message = "Kategorie konnte nicht gelöscht werden.";
+                        $messageType = "error";
+                    }
                 }
             }
         }
@@ -122,7 +135,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
     }
 }
 
-$editCategoryId = normalizeCategoryId($_GET["edit"] ?? "");
+$editCategoryId = normalizeCategoryId($_GET['edit'] ?? "");
 $editingCategory = null;
 if ($editCategoryId !== "") {
     $editingCategory = getCategoryById($editCategoryId);

admin/faq.php

@@ -3,7 +3,7 @@ require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
 // Check admin login
-if (!isset($_SESSION["admin_logged_in"]) || !$_SESSION["admin_logged_in"]) {
+if (!isset($_SESSION['admin_logged_in']) || !$_SESSION['admin_logged_in']) {
     header("Location: login.php");
     exit();
 }
@@ -12,17 +12,21 @@ $pageTitle = "FAQ bearbeiten";
 $message = "";
 $messageType = "";
 
-if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["save_faq"])) {
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['save_faq'])) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
-        $content = isset($_POST["content"]) ? (string) $_POST["content"] : "";
-        saveFaqContent($content);
-        logAccess("Admin updated FAQ content");
-        $message = "FAQ-Inhalt wurde gespeichert.";
-        $messageType = "success";
+        $content = isset($_POST['content']) ? (string) $_POST['content'] : "";
+        if (saveFaqContent($content)) {
+            logAccess("Admin updated FAQ content");
+            $message = "FAQ-Inhalt wurde gespeichert.";
+            $messageType = "success";
+        } else {
+            $message = "FAQ-Inhalt konnte nicht gespeichert werden.";
+            $messageType = "error";
+        }
     }
 }
 

admin/index.php

@@ -61,7 +61,10 @@ include __DIR__ . '/../includes/header.php';
                 <a href="settings.php">Einstellungen</a>
                 <a href="faq.php">FAQ bearbeiten</a>
                 <a href="admins.php">Admins verwalten</a>
-                <a href="login.php?logout=1">Abmelden</a>
+                <form method="POST" action="login.php" class="inline-form">
+                    <?php echo csrfField(); ?>
+                    <button type="submit" name="logout" class="btn btn-secondary btn-small">Abmelden</button>
+                </form>
             </div>
         </details>
     </div>

admin/login.php

@@ -2,32 +2,48 @@
 require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
-// Handle logout
-if (isset($_GET["logout"])) {
-    $_SESSION["admin_logged_in"] = false;
-    unset($_SESSION["admin_username"]);
-    session_destroy();
-    header("Location: login.php");
-    exit();
-}
-
 $error = "";
 
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
+// Handle logout via POST + CSRF
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['logout'])) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
+        $error = "Ungültiges Token. Bitte versuchen Sie es erneut.";
+    } else {
+        $_SESSION = [];
+        if (ini_get("session.use_cookies")) {
+            $params = session_get_cookie_params();
+            setcookie(
+                session_name(),
+                "",
+                time() - 42000,
+                $params["path"],
+                $params["domain"],
+                $params["secure"],
+                $params["httponly"],
+            );
+        }
+        session_destroy();
+        header("Location: login.php");
+        exit();
+    }
+}
+
+if ($_SERVER['REQUEST_METHOD'] === "POST") {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $error = "Ungültiges Token. Bitte versuchen Sie es erneut.";
     } else {
-        $username = normalizeAdminUsername($_POST["username"] ?? "");
-        $password = $_POST["password"] ?? "";
+        $username = normalizeAdminUsername($_POST['username'] ?? "");
+        $password = $_POST['password'] ?? "";
 
         $users = getAdminUsers();
         if (
             isset($users[$username]) &&
             password_verify($password, $users[$username])
         ) {
-            $_SESSION["admin_logged_in"] = true;
-            $_SESSION["admin_username"] = $username;
+            session_regenerate_id(true);
+            $_SESSION['admin_logged_in'] = true;
+            $_SESSION['admin_username'] = $username;
             logAccess("Admin login successful", ["username" => $username]);
             header("Location: index.php");
             exit();
@@ -39,7 +55,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 }
 
 // Redirect if already logged in
-if (isset($_SESSION["admin_logged_in"]) && $_SESSION["admin_logged_in"]) {
+if (isset($_SESSION['admin_logged_in']) && $_SESSION['admin_logged_in']) {
     header("Location: index.php");
     exit();
 }

admin/orders.php

@@ -2,7 +2,7 @@
 require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
-if (empty($_SESSION["admin_logged_in"])) {
+if (empty($_SESSION['admin_logged_in'])) {
     header("Location: login.php");
     exit();
 }
@@ -14,17 +14,17 @@ $message = "";
 $messageType = "";
 
 if (
-    $_SERVER["REQUEST_METHOD"] === "POST" &&
-    isset($_POST["toggle_item_processed"])
+    $_SERVER['REQUEST_METHOD'] === "POST" &&
+    isset($_POST['toggle_item_processed'])
 ) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
         $result = toggleOrderItemProcessed(
-            $_POST["order_id"] ?? "",
-            (int) ($_POST["item_index"] ?? -1),
+            $_POST['order_id'] ?? "",
+            (int) ($_POST['item_index'] ?? -1),
         );
         $message = $result["success"]
             ? "Position wurde aktualisiert."
@@ -33,25 +33,25 @@ if (
 
         if ($result["success"]) {
             logAccess("Admin toggled order item", [
-                "admin" => $_SESSION["admin_username"] ?? "unknown",
-                "order_id" => $_POST["order_id"] ?? "",
-                "item_index" => $_POST["item_index"] ?? -1,
+                "admin" => $_SESSION['admin_username'] ?? "unknown",
+                "order_id" => $_POST['order_id'] ?? "",
+                "item_index" => $_POST['item_index'] ?? -1,
             ]);
         }
     }
 }
 
-if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["cancel_order"])) {
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['cancel_order'])) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
-        $adminUsername = $_SESSION["admin_username"] ?? "";
+        $adminUsername = $_SESSION['admin_username'] ?? "";
         $result = cancelOrder(
-            $_POST["order_id"] ?? "",
+            $_POST['order_id'] ?? "",
             $adminUsername,
-            $_POST["cancellation_reason"] ?? "",
+            $_POST['cancellation_reason'] ?? "",
         );
         $message = $result["success"]
             ? "Bestellung wurde storniert."
@@ -61,7 +61,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["cancel_order"])) {
         if ($result["success"]) {
             logAccess("Admin cancelled order", [
                 "admin" => $adminUsername,
-                "order_id" => $_POST["order_id"] ?? "",
+                "order_id" => $_POST['order_id'] ?? "",
             ]);
         }
     }
@@ -72,9 +72,9 @@ usort($orders, function ($left, $right) {
     return strcmp($right["created_at"], $left["created_at"]);
 });
 
-$filter = trim((string) ($_GET["filter"] ?? "all"));
-$searchOrderId = trim((string) ($_GET["order_id"] ?? ""));
-$selectedOrderId = trim((string) ($_GET["details"] ?? $searchOrderId));
+$filter = trim((string) ($_GET['filter'] ?? "all"));
+$searchOrderId = trim((string) ($_GET['order_id'] ?? ""));
+$selectedOrderId = trim((string) ($_GET['details'] ?? $searchOrderId));
 
 if ($searchOrderId !== "") {
     $orders = array_values(

admin/organizations.php

@@ -2,7 +2,7 @@
 require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
-if (empty($_SESSION["admin_logged_in"])) {
+if (empty($_SESSION['admin_logged_in'])) {
     header("Location: login.php");
     exit();
 }
@@ -12,16 +12,16 @@ $message = "";
 $messageType = "";
 $organizations = getOrganizations(false);
 
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
+if ($_SERVER['REQUEST_METHOD'] === "POST") {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
-        if (isset($_POST["add_organization"])) {
-            $label = normalizeOrganizationLabel($_POST["label"] ?? "");
-            $sortOrder = (int) ($_POST["sort_order"] ?? 0);
-            $active = isset($_POST["active"]);
+        if (isset($_POST['add_organization'])) {
+            $label = normalizeOrganizationLabel($_POST['label'] ?? "");
+            $sortOrder = (int) ($_POST['sort_order'] ?? 0);
+            $active = isset($_POST['active']);
 
             if (!isValidOrganizationLabel($label)) {
                 $message =
@@ -38,23 +38,27 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     "sort_order" => $sortOrder,
                     "active" => $active,
                 ];
-                saveOrganizations($organizations);
-                logAccess("Admin added organization", [
-                    "org_id" => $orgId,
-                    "label" => $label,
-                ]);
-                $message = "Organisation wurde angelegt.";
-                $messageType = "success";
+                if (saveOrganizations($organizations)) {
+                    logAccess("Admin added organization", [
+                        "org_id" => $orgId,
+                        "label" => $label,
+                    ]);
+                    $message = "Organisation wurde angelegt.";
+                    $messageType = "success";
+                } else {
+                    $message = "Organisation konnte nicht gespeichert werden.";
+                    $messageType = "error";
+                }
             }
         }
 
-        if (isset($_POST["update_organization"])) {
+        if (isset($_POST['update_organization'])) {
             $organizationId = normalizeOrganizationId(
-                $_POST["organization_id"] ?? "",
+                $_POST['organization_id'] ?? "",
             );
-            $label = normalizeOrganizationLabel($_POST["label"] ?? "");
-            $sortOrder = (int) ($_POST["sort_order"] ?? 0);
-            $active = isset($_POST["active"]);
+            $label = normalizeOrganizationLabel($_POST['label'] ?? "");
+            $sortOrder = (int) ($_POST['sort_order'] ?? 0);
+            $active = isset($_POST['active']);
             $updated = false;
 
             if (!isValidOrganizationLabel($label)) {
@@ -76,13 +80,18 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                 unset($organization);
 
                 if ($updated) {
-                    saveOrganizations($organizations);
-                    logAccess("Admin updated organization", [
-                        "org_id" => $organizationId,
-                        "label" => $label,
-                    ]);
-                    $message = "Organisation wurde aktualisiert.";
-                    $messageType = "success";
+                    if (saveOrganizations($organizations)) {
+                        logAccess("Admin updated organization", [
+                            "org_id" => $organizationId,
+                            "label" => $label,
+                        ]);
+                        $message = "Organisation wurde aktualisiert.";
+                        $messageType = "success";
+                    } else {
+                        $message =
+                            "Organisation konnte nicht gespeichert werden.";
+                        $messageType = "error";
+                    }
                 } else {
                     $message = "Organisation nicht gefunden.";
                     $messageType = "error";
@@ -90,9 +99,9 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
             }
         }
 
-        if (isset($_POST["delete_organization"])) {
+        if (isset($_POST['delete_organization'])) {
             $organizationId = normalizeOrganizationId(
-                $_POST["organization_id"] ?? "",
+                $_POST['organization_id'] ?? "",
             );
             $orgLabel = "";
             $found = false;
@@ -109,21 +118,25 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     return $organization["id"] !== $organizationId;
                 }),
             );
-            saveOrganizations($organizations);
-            logAccess("Admin deleted organization", [
-                "org_id" => $organizationId,
-                "label" => $orgLabel,
-            ]);
-            $message = "Organisation wurde gelöscht.";
-            $messageType = "success";
+            if (saveOrganizations($organizations)) {
+                logAccess("Admin deleted organization", [
+                    "org_id" => $organizationId,
+                    "label" => $orgLabel,
+                ]);
+                $message = "Organisation wurde gelöscht.";
+                $messageType = "success";
+            } else {
+                $message = "Organisation konnte nicht gelöscht werden.";
+                $messageType = "error";
+            }
         }
 
         $organizations = getOrganizations(false);
     }
 }
 
-$editingOrganization = isset($_GET["edit"])
-    ? getOrganizationById($_GET["edit"])
+$editingOrganization = isset($_GET['edit'])
+    ? getOrganizationById($_GET['edit'])
     : null;
 
 $bodyClass = "admin-page";

admin/products.php

@@ -2,7 +2,7 @@
 require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
-if (empty($_SESSION["admin_logged_in"])) {
+if (empty($_SESSION['admin_logged_in'])) {
     header("Location: login.php");
     exit();
 }
@@ -142,9 +142,9 @@ function getSubmittedProductCategoryIds($submittedValues)
     return $validCategoryIds;
 }
 
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
+if ($_SERVER['REQUEST_METHOD'] === "POST") {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
@@ -154,8 +154,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
             $message = "Bitte zuerst mindestens eine Kategorie anlegen.";
             $messageType = "error";
         } elseif (
-            isset($_POST["add_product"]) ||
-            isset($_POST["update_product"])
+            isset($_POST['add_product']) ||
+            isset($_POST['update_product'])
         ) {
             $uploadResult = handleImageUpload();
             if (!$uploadResult["success"]) {
@@ -164,8 +164,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
             } else {
                 $categoryIds = getSubmittedProductCategoryIds($_POST);
                 $existingLabels = [];
-                $productId = isset($_POST["product_id"])
-                    ? (int) $_POST["product_id"]
+                $productId = isset($_POST['product_id'])
+                    ? (int) $_POST['product_id']
                     : 0;
                 foreach ($products as $product) {
                     if ((int) $product["id"] === $productId) {
@@ -175,7 +175,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                 }
 
                 $sizeData = buildProductAvailabilityFields(
-                    $_POST["sizes"] ?? "",
+                    $_POST['sizes'] ?? "",
                     $_POST,
                     $existingLabels,
                 );
@@ -186,15 +186,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     $messageType = "error";
                 } else {
                     $record = [
-                        "name" => sanitize($_POST["name"] ?? ""),
+                        "name" => sanitize($_POST['name'] ?? ""),
                         "description" => trim(
-                            (string) ($_POST["description"] ?? ""),
+                            (string) ($_POST['description'] ?? ""),
                         ),
                         "categories" => $categoryIds,
                         "image" =>
                             $uploadResult["filename"] !== null
                                 ? $uploadResult["filename"]
-                                : trim((string) ($_POST["image"] ?? "")),
+                                : trim((string) ($_POST['image'] ?? "")),
                         "sizes" => $sizeData["sizes"],
                         "availability_labels" =>
                             $sizeData["availability_labels"],
@@ -203,7 +203,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     if ($record["name"] === "") {
                         $message = "Bitte einen Produktnamen eingeben.";
                         $messageType = "error";
-                    } elseif (isset($_POST["add_product"])) {
+                    } elseif (isset($_POST['add_product'])) {
                         $newId = empty($products)
                             ? 1
                             : max(
@@ -213,13 +213,18 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                                 ) + 1;
                         $record["id"] = $newId;
                         $products[] = $record;
-                        saveProducts($products);
-                        logAccess("Admin added product", [
-                            "product_id" => $newId,
-                            "product_name" => $record["name"],
-                        ]);
-                        $message = "Produkt wurde angelegt.";
-                        $messageType = "success";
+                        if (saveProducts($products)) {
+                            logAccess("Admin added product", [
+                                "product_id" => $newId,
+                                "product_name" => $record["name"],
+                            ]);
+                            $message = "Produkt wurde angelegt.";
+                            $messageType = "success";
+                        } else {
+                            $message =
+                                "Produkt konnte nicht gespeichert werden.";
+                            $messageType = "error";
+                        }
                     } else {
                         $updated = false;
                         foreach ($products as &$product) {
@@ -233,13 +238,18 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                         unset($product);
 
                         if ($updated) {
-                            saveProducts($products);
-                            logAccess("Admin updated product", [
-                                "product_id" => $productId,
-                                "product_name" => $record["name"],
-                            ]);
-                            $message = "Produkt wurde aktualisiert.";
-                            $messageType = "success";
+                            if (saveProducts($products)) {
+                                logAccess("Admin updated product", [
+                                    "product_id" => $productId,
+                                    "product_name" => $record["name"],
+                                ]);
+                                $message = "Produkt wurde aktualisiert.";
+                                $messageType = "success";
+                            } else {
+                                $message =
+                                    "Produkt konnte nicht gespeichert werden.";
+                                $messageType = "error";
+                            }
                         } else {
                             $message = "Produkt nicht gefunden.";
                             $messageType = "error";
@@ -249,8 +259,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
             }
         }
 
-        if (isset($_POST["delete_product"])) {
-            $productId = (int) ($_POST["product_id"] ?? 0);
+        if (isset($_POST['delete_product'])) {
+            $productId = (int) ($_POST['product_id'] ?? 0);
             $productName = "";
             foreach ($products as $product) {
                 if ((int) $product["id"] === $productId) {
@@ -263,20 +273,24 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                     return (int) $product["id"] !== $productId;
                 }),
             );
-            saveProducts($products);
-            logAccess("Admin deleted product", [
-                "product_id" => $productId,
-                "product_name" => $productName,
-            ]);
-            $message = "Produkt wurde gelöscht.";
-            $messageType = "success";
+            if (saveProducts($products)) {
+                logAccess("Admin deleted product", [
+                    "product_id" => $productId,
+                    "product_name" => $productName,
+                ]);
+                $message = "Produkt wurde gelöscht.";
+                $messageType = "success";
+            } else {
+                $message = "Produkt konnte nicht gelöscht werden.";
+                $messageType = "error";
+            }
         }
     }
 }
 
 $products = getProducts();
-$editingProduct = isset($_GET["edit"])
-    ? getProductById((int) $_GET["edit"])
+$editingProduct = isset($_GET['edit'])
+    ? getProductById((int) $_GET['edit'])
     : null;
 
 $bodyClass = "admin-page";

admin/settings.php

@@ -2,7 +2,7 @@
 require_once __DIR__ . "/../config.php";
 require_once __DIR__ . "/../includes/functions.php";
 
-if (empty($_SESSION["admin_logged_in"])) {
+if (empty($_SESSION['admin_logged_in'])) {
     header("Location: login.php");
     exit();
 }
@@ -11,28 +11,32 @@ $pageTitle = "Einstellungen";
 $message = "";
 $messageType = "";
 
-if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["save_settings"])) {
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['save_settings'])) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $message = "Ungültiges Token. Bitte versuchen Sie es erneut.";
         $messageType = "error";
     } else {
         $settings = [
-            "order_recipient_email" => $_POST["order_recipient_email"] ?? "",
+            "order_recipient_email" => $_POST['order_recipient_email'] ?? "",
             "order_confirmation_required" => isset(
-                $_POST["order_confirmation_required"],
+                $_POST['order_confirmation_required'],
             ),
             "order_confirmation_expiry_days" =>
-                (int) ($_POST["order_confirmation_expiry_days"] ?? 7),
+                (int) ($_POST['order_confirmation_expiry_days'] ?? 7),
             "attach_order_pdf_to_admin_email" => isset(
-                $_POST["attach_order_pdf_to_admin_email"],
+                $_POST['attach_order_pdf_to_admin_email'],
             ),
         ];
 
-        saveSystemSettings($settings);
-        logAccess("Admin updated system settings");
-        $message = "Einstellungen wurden gespeichert.";
-        $messageType = "success";
+        if (saveSystemSettings($settings)) {
+            logAccess("Admin updated system settings");
+            $message = "Einstellungen wurden gespeichert.";
+            $messageType = "success";
+        } else {
+            $message = "Einstellungen konnten nicht gespeichert werden.";
+            $messageType = "error";
+        }
     }
 }
 

cart.php

@@ -5,12 +5,12 @@ require_once __DIR__ . "/includes/functions.php";
 $pageTitle = "Warenkorb";
 
 if (
-    $_SERVER["REQUEST_METHOD"] === "POST" &&
-    isset($_POST["remove_item_index"])
+    $_SERVER['REQUEST_METHOD'] === "POST" &&
+    isset($_POST['remove_item_index'])
 ) {
     // Validate CSRF token
-    if (validateCsrfToken($_POST["csrf_token"] ?? "")) {
-        removeCartItemByIndex((int) $_POST["remove_item_index"]);
+    if (validateCsrfToken($_POST['csrf_token'] ?? "")) {
+        removeCartItemByIndex((int) $_POST['remove_item_index']);
     }
 }
 

checkout.php

@@ -12,9 +12,9 @@ if (empty($cartItems)) {
     exit();
 }
 
-if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["create_order"])) {
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['create_order'])) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $errors[] = "Ungültiges Token. Bitte versuchen Sie es erneut.";
     } else {
         $validator = new Validator($_POST);
@@ -30,7 +30,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["create_order"])) {
             ->maxLength("comment", 1000, "Kommentar");
 
         // Validate organization exists
-        $organizationId = $_POST["organization_id"] ?? "";
+        $organizationId = $_POST['organization_id'] ?? "";
         $organizations = getOrganizations(true);
         $validOrgIds = array_column($organizations, "id");
 
@@ -41,9 +41,9 @@ if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["create_order"])) {
         if (!$validator->isValid()) {
             $errors = array_merge($errors, $validator->getErrors());
         } else {
-            $customerName = trim($_POST["customer_name"]);
-            $customerEmail = trim(strtolower($_POST["customer_email"]));
-            $comment = trim($_POST["comment"] ?? "");
+            $customerName = trim($_POST['customer_name']);
+            $customerEmail = trim(strtolower($_POST['customer_email']));
+            $comment = trim($_POST['comment'] ?? "");
 
             $result = createOrder(
                 $customerName,
@@ -113,18 +113,18 @@ include __DIR__ . "/includes/header.php";
             <div class="form-group">
                 <label for="customer_name">Name *</label>
                 <input type="text" id="customer_name" name="customer_name" required value="<?php echo isset(
-                    $_POST["customer_name"],
+                    $_POST['customer_name'],
                 )
-                    ? escape($_POST["customer_name"])
+                    ? escape($_POST['customer_name'])
                     : ""; ?>">
             </div>
 
             <div class="form-group">
                 <label for="customer_email">E-Mail-Adresse *</label>
                 <input type="email" id="customer_email" name="customer_email" required value="<?php echo isset(
-                    $_POST["customer_email"],
+                    $_POST['customer_email'],
                 )
-                    ? escape($_POST["customer_email"])
+                    ? escape($_POST['customer_email'])
                     : ""; ?>">
             </div>
 
@@ -135,8 +135,8 @@ include __DIR__ . "/includes/header.php";
                     <?php foreach ($organizations as $organization): ?>
                         <option value="<?php echo escape(
                             $organization["id"],
-                        ); ?>" <?php echo isset($_POST["organization_id"]) &&
-$_POST["organization_id"] === $organization["id"]
+                        ); ?>" <?php echo isset($_POST['organization_id']) &&
+$_POST['organization_id'] === $organization["id"]
     ? "selected"
     : ""; ?>>
                             <?php echo escape($organization["label"]); ?>
@@ -148,9 +148,9 @@ $_POST["organization_id"] === $organization["id"]
             <div class="form-group">
                 <label for="comment">Kommentar</label>
                 <textarea id="comment" name="comment" rows="5"><?php echo isset(
-                    $_POST["comment"],
+                    $_POST['comment'],
                 )
-                    ? escape($_POST["comment"])
+                    ? escape($_POST['comment'])
                     : ""; ?></textarea>
             </div>
 

config.sample.php

@@ -46,5 +46,15 @@ define('UPLOADS_URL', SITE_URL . '/data/uploads');
 
 // Session settings
 if (session_status() === PHP_SESSION_NONE) {
+    $isHttps =
+        (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== "off") ||
+        (isset($_SERVER['SERVER_PORT']) &&
+            (int) $_SERVER['SERVER_PORT'] === 443);
+
+    ini_set("session.use_strict_mode", "1");
+    ini_set("session.cookie_httponly", "1");
+    ini_set("session.cookie_secure", $isHttps ? "1" : "0");
+    ini_set("session.cookie_samesite", "Lax");
+
     session_start();
 }

includes/functions.php

@@ -69,18 +69,18 @@ function escape($value)
  */
 function generateCsrfToken()
 {
-    if (empty($_SESSION["csrf_token"])) {
-        $_SESSION["csrf_token"] = bin2hex(random_bytes(32));
+    if (empty($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
     }
-    return $_SESSION["csrf_token"];
+    return $_SESSION['csrf_token'];
 }
 
 function validateCsrfToken($token)
 {
-    if (empty($_SESSION["csrf_token"])) {
+    if (empty($_SESSION['csrf_token'])) {
         return false;
     }
-    return hash_equals($_SESSION["csrf_token"], $token);
+    return hash_equals($_SESSION['csrf_token'], $token);
 }
 
 function csrfField()
@@ -130,7 +130,7 @@ function setFlashMessage($key, $type, $message)
         return;
     }
 
-    $_SESSION["flash_messages"][$key] = [
+    $_SESSION['flash_messages'][$key] = [
         "type" => $type,
         "message" => $message,
     ];
@@ -143,7 +143,7 @@ function consumeFlashMessage($key)
         return null;
     }
 
-    $messages = $_SESSION["flash_messages"] ?? [];
+    $messages = $_SESSION['flash_messages'] ?? [];
     if (
         !is_array($messages) ||
         !isset($messages[$key]) ||
@@ -153,7 +153,7 @@ function consumeFlashMessage($key)
     }
 
     $message = $messages[$key];
-    unset($_SESSION["flash_messages"][$key]);
+    unset($_SESSION['flash_messages'][$key]);
 
     $type = trim((string) ($message["type"] ?? ""));
     $text = trim((string) ($message["message"] ?? ""));
@@ -325,7 +325,7 @@ function saveAdminAccounts($accounts)
     }
 
     ksort($result);
-    writeJsonFile(ADMINS_FILE, ["admins" => $result]);
+    return writeJsonFile(ADMINS_FILE, ["admins" => $result]);
 }
 
 function getDefaultCategories()
@@ -413,7 +413,7 @@ function getCategories()
 
 function saveCategories($categories)
 {
-    writeJsonFile(CATEGORIES_FILE, [
+    return writeJsonFile(CATEGORIES_FILE, [
         "categories" => normalizeCategories($categories),
     ]);
 }
@@ -658,7 +658,7 @@ function saveProducts($products)
         }
     }
 
-    writeJsonFile(PRODUCTS_FILE, ["products" => array_values($normalized)]);
+    return writeJsonFile(PRODUCTS_FILE, ["products" => array_values($normalized)]);
 }
 
 function getFaqFilePath(): string
@@ -694,9 +694,9 @@ function getFaqContent(): string
     return $data["content"];
 }
 
-function saveFaqContent(string $markdown): void
+function saveFaqContent(string $markdown): bool
 {
-    writeJsonFile(getFaqFilePath(), ["content" => (string) $markdown]);
+    return writeJsonFile(getFaqFilePath(), ["content" => (string) $markdown]);
 }
 
 function renderFaqInlineMarkdown(string $text): string
@@ -904,7 +904,7 @@ function getOrganizations($onlyActive = false)
 
 function saveOrganizations($organizations)
 {
-    writeJsonFile(ORGANIZATIONS_FILE, [
+    return writeJsonFile(ORGANIZATIONS_FILE, [
         "organizations" => normalizeOrganizations($organizations),
     ]);
 }
@@ -1006,7 +1006,7 @@ function getSystemSettings()
 
 function saveSystemSettings($settings)
 {
-    writeJsonFile(SETTINGS_FILE, [
+    return writeJsonFile(SETTINGS_FILE, [
         "settings" => normalizeSystemSettings($settings),
     ]);
 }
@@ -1137,6 +1137,7 @@ function saveOrders($orders)
             "order_count" => count($normalized),
         ]);
     }
+    return (bool) $result;
 }
 
 function generateOrderId()
@@ -1349,7 +1350,7 @@ function buildAbsoluteUrl($path)
     }
 
     $scheme = isHttpsRequest() ? "https" : "http";
-    $host = $_SERVER["HTTP_HOST"] ?? "";
+    $host = $_SERVER['HTTP_HOST'] ?? "";
     if ($host === "") {
         return $path;
     }
@@ -1360,20 +1361,20 @@ function buildAbsoluteUrl($path)
 function isHttpsRequest(): bool
 {
     if (
-        !empty($_SERVER["HTTPS"]) &&
-        strtolower((string) $_SERVER["HTTPS"]) !== "off"
+        !empty($_SERVER['HTTPS']) &&
+        strtolower((string) $_SERVER['HTTPS']) !== "off"
     ) {
         return true;
     }
     if (
-        !empty($_SERVER["HTTP_X_FORWARDED_PROTO"]) &&
-        strtolower((string) $_SERVER["HTTP_X_FORWARDED_PROTO"]) === "https"
+        !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
+        strtolower((string) $_SERVER['HTTP_X_FORWARDED_PROTO']) === "https"
     ) {
         return true;
     }
     if (
-        !empty($_SERVER["SERVER_PORT"]) &&
-        (int) $_SERVER["SERVER_PORT"] === 443
+        !empty($_SERVER['SERVER_PORT']) &&
+        (int) $_SERVER['SERVER_PORT'] === 443
     ) {
         return true;
     }
@@ -1707,7 +1708,7 @@ function formatDate($dateString)
 
 function getCart()
 {
-    $cart = $_SESSION["cart"] ?? [];
+    $cart = $_SESSION['cart'] ?? [];
     if (!is_array($cart)) {
         $cart = [];
     }
@@ -1741,8 +1742,8 @@ function getCart()
         ];
     }
 
-    $_SESSION["cart"] = array_values($normalized);
-    return $_SESSION["cart"];
+    $_SESSION['cart'] = array_values($normalized);
+    return $_SESSION['cart'];
 }
 
 function addCartItem($productId, $size = "")
@@ -1785,7 +1786,7 @@ function addCartItem($productId, $size = "")
         }
 
         $cart[$index]["size"] = $size;
-        $_SESSION["cart"] = array_values($cart);
+        $_SESSION['cart'] = array_values($cart);
 
         return [
             "success" => true,
@@ -1800,7 +1801,7 @@ function addCartItem($productId, $size = "")
         "size" => $size,
     ];
 
-    $_SESSION["cart"] = array_values($cart);
+    $_SESSION['cart'] = array_values($cart);
     return [
         "success" => true,
         "status" => "added",
@@ -1813,13 +1814,13 @@ function removeCartItemByIndex($index)
     $cart = getCart();
     if (isset($cart[$index])) {
         unset($cart[$index]);
-        $_SESSION["cart"] = array_values($cart);
+        $_SESSION['cart'] = array_values($cart);
     }
 }
 
 function clearCart()
 {
-    $_SESSION["cart"] = [];
+    $_SESSION['cart'] = [];
 }
 
 function getCartItemsDetailed()
@@ -2340,9 +2341,9 @@ function logError($message, $context = [], $level = "ERROR")
         "level" => $level,
         "message" => $message,
         "context" => $context,
-        "ip" => $_SERVER["REMOTE_ADDR"] ?? "unknown",
-        "user_agent" => $_SERVER["HTTP_USER_AGENT"] ?? "unknown",
-        "request_uri" => $_SERVER["REQUEST_URI"] ?? "unknown",
+        "ip" => $_SERVER['REMOTE_ADDR'] ?? "unknown",
+        "user_agent" => $_SERVER['HTTP_USER_AGENT'] ?? "unknown",
+        "request_uri" => $_SERVER['REQUEST_URI'] ?? "unknown",
         "session_id" => session_id()
             ? substr(session_id(), 0, 8) . "..."
             : "none",
@@ -2367,9 +2368,9 @@ function logAccess($message, $context = [])
         "timestamp" => date("Y-m-d H:i:s.u"),
         "message" => $message,
         "context" => $context,
-        "ip" => $_SERVER["REMOTE_ADDR"] ?? "unknown",
-        "request_method" => $_SERVER["REQUEST_METHOD"] ?? "unknown",
-        "request_uri" => $_SERVER["REQUEST_URI"] ?? "unknown",
+        "ip" => $_SERVER['REMOTE_ADDR'] ?? "unknown",
+        "request_method" => $_SERVER['REQUEST_METHOD'] ?? "unknown",
+        "request_uri" => $_SERVER['REQUEST_URI'] ?? "unknown",
     ];
 
     $logLine = json_encode($entry, JSON_UNESCAPED_UNICODE) . PHP_EOL;

index.php

@@ -6,8 +6,8 @@ $pageTitle = "Startseite";
 $products = getProducts();
 $categories = getCategories();
 
-$category = isset($_GET["category"])
-    ? normalizeCategoryId($_GET["category"])
+$category = isset($_GET['category'])
+    ? normalizeCategoryId($_GET['category'])
     : "";
 if ($category !== "" && getCategoryById($category) !== null) {
     $products = array_values(

product.php

@@ -2,7 +2,7 @@
 require_once __DIR__ . "/config.php";
 require_once __DIR__ . "/includes/functions.php";
 
-$productId = isset($_GET["id"]) ? (int) $_GET["id"] : 0;
+$productId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 $product = getProductById($productId);
 
 if ($product === null) {
@@ -13,12 +13,12 @@ if ($product === null) {
 $pageTitle = $product["name"];
 $sizes = getProductSizes($product);
 
-if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["add_to_cart"])) {
+if ($_SERVER['REQUEST_METHOD'] === "POST" && isset($_POST['add_to_cart'])) {
     // Validate CSRF token
-    if (!validateCsrfToken($_POST["csrf_token"] ?? "")) {
+    if (!validateCsrfToken($_POST['csrf_token'] ?? "")) {
         $error = "Ungültiges Token. Bitte versuchen Sie es erneut.";
     } else {
-        $size = trim((string) ($_POST["size"] ?? ""));
+        $size = trim((string) ($_POST['size'] ?? ""));
 
         if (
             !empty($sizes) &&